Uninsured – Underinsured Information Highway Motorists

On the information freeway, the vast majority of the population is driving ninety miles per hour (144 KPH) without insurance; this includes business entities as well. In the United States, as in many other countries as well, the law dictates that a person possess a minimum level of automobile insurance to protect the financial stability of other drivers, their property and themselves in the event of a crash. Most people would not be able to afford the expenses associated with a crash should it occur. We all tend to dislike insurance, but are infinitely pleased when we have it in a time of catastrophe right?

When it comes to cyberspace crime, it is all about identities and intellectual property. The largest business segment for cyber-criminals to target identities is in the retail marketplace. You might be pondering right now “Michael, no way! Banks are where the real money is!” Think about this for a moment; just one credit card is used at dozens, hundreds, maybe even thousands of retail establishments from every part of the world right? When is the last time you heard about a security breach at a credit card issuer like Visa or MasterCard?  Citibank comes to mind, but no one else. When is the last time you heard about a security breach at a retailer? I’d run out of fingers and toes counting them off to you.

According to the U.S. Census Bureau, three quarters of all U.S. business firms are classified as small businesses (Source: U.S. Census Bureau). The likelihood of consumers like you, doing business with any one of these firms is significant. Now for the next big question I want you to consider. How many of these small businesses are required to comply with Payment Card Industry PCI security mandates? Technically all merchants are supposed to comply with these guidelines however, anyone processing less than 1 million transactions a year must only claim compliance which is not verified. Do you think the honor system, wink-wink, is going to be effective at protecting your identity from criminals? I say “criminal” instead of “cyber-criminal” because without effective and fundamental information security controls in place, data theft of your credit card information and personally identifying information is ripe for the picking by dishonest employees, dishonest support vendors and cyber-criminals alike. According to Visa Inc., small merchants account for over 80 percent of compromise events (Source: VISA Inc.). Hackers love small businesses because they are usually not well protected. Regardless of size, any organization that is not protected will be targeted by cyber-criminals.

The PCI Security Standards Council is an open global forum. The Council’s five founding global payment brands, American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc., all agreed to set security standards so on the positive side, we all have consistent standards. On the negative side, some of these requirements are antiquated by technological standards and must be updated in my opinion. For example, encryption; 3DES encryption is still authorized by the PCI consortium. 3DES was defeated in 2005.  For discussion purposes, AES is faster and has not been defeated. Why then has the requirements not been updated you ask? It is expensive to update the technology to support high encryption rather than low encryption. It really represents collusion between the PCI consortium and the financial institutions to “dumb down” security measures purely for business impact purposes.

Now that I’ve taken you on a brief tour of just one security component protecting consumers by mandating basic security standards are in place, I assure you that there are many other fundamental security measures that should be in place to protect consumers and corporations alike regardless of size that are not required, measured, tested or reported on currently. As a business entity, the lifeblood of that business is the customer and the customer can only support business if their financial identity is solvent. This symbiotic relationship will not thrive without vigilance on both sides. Merchants must protect their intellectual property, their customers, profits, etc. while consumers must play their part. Keeping their technology up to date and utilizing secure methods of conducting business or personal transactions is vital. The other facet is in demanding businesses handle your personal information with great care. Just like corporations come together for mutual benefit, like the members of the PCI consortium have, so to must consumers come together for mutual benefit.
Article first published as Uninsured – Underinsured Information Highway Motorists on Technorati.